Read the first part of my ATT&CK series
Read the second part of my ATT&CK series
Read the third part of my ATT&CK series
Ransomware Today, instead of working based on a supposed activity sector of my company, as I did in my last entry, I’m going to work on the most famous and common threat.
Ransomware continues to be the main threat for most companies of all sizes and across all sectors, as multiple reports from CTI companies demonstrate for the last few years.
[Read More]
Improve your detections with the ATT&CK Framework Part 3
See part 1 of this series here
See part 2 of this series here
Prioritizing new detections Today we continue our journey to improve our network detections. The next step is incorporating real-world threat data. Last time, we got an ATT&CK navigator layer where we identified which TTPs we have visibility but no detections. You can see the results with this JSON layer. This is just an example, not based in reality, although I’ve seen similar scenarios in real life :).
[Read More]
Using the Top Techniques calculator from CTID
Top ATT&CK Techniques Today I wanted to show a little bit how to use the new tool released by the Center for Threat-Informed Defense the Top ATT&CK Techniques calculator, which can be accessed here. The main purpose of the new project and the calculator is to help determining where to invest our efforts to defend our network. I you followed my series in how to improve detections with the ATT&CK Framework, you are in a perfect position to take advantage of this tool.
[Read More]
Do you know which Vulnerabilities your Scanner is missing?
Is your Vulnerability Management Tool able to detect all vulnerabilities in your network? I got the inspiration for this post after reading this entry from Alexander Leonov. He investigates the blind spots on the Vulnerability Scanners databases, and how we may assume that any new and old vulnerability ever published will be identified by our shiny tool for which we pay a substantial license. As he explains that’s not actually true, and uses as reference the excellent CISA Known Exploited Vulnerabilities catalog.
[Read More]
Improve your detections with the ATT&CK Framework Part 2
See part 1 of this series here
Visibility Last time we left with our data sources mapped to ATT&CK framework and already can see where we might be missing attacks to our network. Now let’s go a step further and get visibility scored based in our data sources plus our knowledge of the network. For that, we start the docker container for DeTTECT:
docker start -i dettect Then we use the data sources file we generated in the first part - you can use my example file from here - to generate the techniques administration file with this command:
[Read More]
Get Known Exploited Vulnerabilities in your network with Tenable API
Today, let’s see a practical application of the Tenable.sc API analysis endpoint. We’ll use the list of known exploited vulnerabilities provided by CISA and compare the CVEs to the results of our scans. This will give us a list of active unpatched CVEs in our network that should be prioritized, as they are being used in real world attacks.
Known Exploited Vulnerabilities(KEV) CISA kindly provides a CSV file with all the vulnerabilities in their catalog of known exploited vulnerabilities; we can download it here
[Read More]
Playing with Tenable.sc Analysis endpoint
Today we are going to play with the analysis API endpoint of Tenable.sc using filters directly, no pre-saved queries. That gives us the same flexibility as working on the GUI.
The tricky part is getting the structure of the requests right; I’ll give a detailed explanation of how to do it in PowerShell so you don’t have to suffer yourself 🙂
As usual, I’m going to use PowerShell for the whole process.
[Read More]
Automate offline Tenable plugin updates
Today we are going to work on something related to vulnerability management, but more for a tool manager role related job, which is to keep everything up to date and properly configured so analysts can do their job. If you have a Vulnerability Management infrastructure with Tenable.sc that is air gapped, you will need to update plugins offline.
Air gapped networks When you are connected to internet from your Tenable.sc server, everything is easy and smooth, but if you don’t have that option because you are in a network where internet connectivity is not allowed, then you need to work on automating the process, otherwise it’s a pain to manually download the plugins and then go to the GUI in Tenable.
[Read More]
Playing with the Tenable.sc API and PowerShell
Here I start a new series of posts where I’ll show how to work with the Tenable.sc API using PowerShell as the scripting language. There is an amazing Python library, pyTenable, which I recommend if you can use Python in your environment, but if you for whatever reason cannot use Python - I might know somebody with that problem 😉 - or you just want to learn an alternative, this is the place!
[Read More]
Improve your detections with the ATT&CK framework
I also want to use the ATT&CK Framework If you want to improve the detections and the effectiveness of your SOC against attacks targeting your organization, the hottest thing right now is the ATT&CK framework and Threat informed defense.
However, if you don’t have the resources to hire external consultants to setup this for you, it can be overwhelming for small organizations to get onboard the ATT&CK ship.
I’m going to try and ease the process for you, the only prerequisite is that you know your organization, your own network and what you are logging right now.
[Read More]